[Snort-users] writing snort rules

tyler at ...4440... tyler at ...4440...
Tue Feb 26 13:12:10 EST 2002


umm...
 
what do you want this rule to DO?
 
alert ip $HOME_NET any -> any any (msg: "foo";)
 
tf.

-----Original Message-----
From: Peter.VE at ...1187... [mailto:Peter.VE at ...1187...]
Sent: Tuesday, February 26, 2002 3:19 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] writing snort rules



Hi all,
 
After 4 months of testing Snort (with success), I want to start writing my
own Snort rules.
Are there any FAQs out there? Tips & tricks?
 
For example:
how can I detect any type of traffic (TCP or UDP, on all ports), from the
inside (so from $HOME_NET), to a given IP on the internet (to any)?
This seems like an easy rule to write, but it doesn't work...
 
A little bit of help is greatly appreciated.
 
Thanks
 
 
 
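The rule in the reply above matches traffic to any destination. As an added example (not part of the original thread), the same header narrowed to one external host looks like the rules below; 192.0.2.10 is a documentation address standing in for the host of interest, the sid values are constructed local-rule ids, and $HOME_NET is assumed to be defined in snort.conf.

```snort
# Constructed example: 192.0.2.10 is a placeholder for the external host.

# "ip" in the header matches any IP protocol (TCP, UDP, ICMP, ...), so one rule
# covers all ports and protocols from the internal network to that host.
alert ip $HOME_NET any -> 192.0.2.10 any (msg:"Outbound traffic to watched host"; sid:1000001; rev:1;)

# If only TCP and UDP are wanted, write one rule per protocol, because a rule
# header names a single protocol. Use these instead of the "ip" rule above,
# not alongside it, or the same packet will alert twice.
alert tcp $HOME_NET any -> 192.0.2.10 any (msg:"Outbound TCP to watched host"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> 192.0.2.10 any (msg:"Outbound UDP to watched host"; sid:1000003; rev:1;)
```

The "->" operator is directional, so these rules fire only on packets going from $HOME_NET to the host, not on the replies coming back.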

